
FAQ - (Frequently Asked Questions)

What is Lockbin?

Lockbin is a web application for sending private email messages and files. It's free! People use it to send things like credit card numbers or confidential information.

Is Lockbin HIPAA Compliant?

Lockbin was built with HIPAA regulations as a primary consideration. Lockbin uses FIPS 140-2 encryption libraries, and takes extraordinary precautions to protect and destroy EPHI. Learn more about how Lockbin is HIPAA compliant.

Why can't I just use regular email?

You can, but someone might intercept your message. That's why people shouldn't send sensitive information over regular email. Lockbin also ends message persistence, which means your email message will not be backed up on email servers or stored in backup files. Network sniffers can also spy on your email traffic while in transit. Use Lockbin to obscure the content of your message and avoid these hazards to your privacy.

How does it work?

Your message and file attachments (data at rest) are protected by strong AES-256 encryption delivered from a FIPS 140-2 verified cryptographic library. Lockbin users create their own account passwords. This means it's not necessary to agree on a password before you send someone a Lockbin message. This makes secure messaging easy. Lockbin also maintains a legacy capability to password-encrypt a message. You can opt to encrypt the message using a password known to the recipient.

How long does my message stay on your server?

If the recipient clicks the Delete button after viewing the message, it is immediately marked for deletion and is no longer available for retrieval. If the file is read but not marked for deletion, it will be removed within 24 hours; this short delay gives the recipient time to download large files, or to resume interrupted downloads. Uncollected messages are automatically destroyed at six months. Files are deleted in batches using a military-grade multi-pass erasure method.

Can you see my message on your server?

No, we cannot see your message. The message is encrypted using your password before it is stored in our server, and the password does not remain on our servers. No unencrypted files are stored on our server. We have no way to decrypt your message, and we can't help you if you forget the password. Although we can see files that are encrypted, we are not able to decipher the files.

Is it safe?

Pretty darn safe. Nothing is perfect, and neither is this, but it is certainly safer than sending sensitive data directly through email. The largest threats to this method would be 1) capture of the sender's or recipient's password by spoofing the Lockbin website, or 2) a screen capture virus that images the decrypted message on the recipient's computer, or a keystroke logger.

How do you make money? Will you sell my email address and spam me?

We absolutely will not spam nor voluntarily share any information about our users. If we did, no one would use Lockbin. We make money by providing subscriptions to an advanced tier of services, and by consulting with companies who are interested in leasing a Lockbin server.

Do you sign a Business Associate Agreement (BAA)?

Yes. Lockbin offers a signed BAA on Premium and Enterprise plans (by request). Email support@lockbin.com with your account details and we'll send our standard BAA for your review and signature. The BAA commits us in writing to safeguard your PHI and notify you within 60 days of any breach, per HIPAA rule CFR 164.410(b).

How do I add my staff to my account?

Sign up for the Multi-User Enterprise plan ($10/user/month) and you'll be able to add as many sub-users as you need from your master account — one for each provider, hygienist, nurse, registrar, or front-desk staffer. You manage them all from one billing account, with a shared address book and optional admin copy of every message for compliance review. Add or remove users any time as staff turn over.

Will Lockbin work alongside Google Workspace or Microsoft 365?

Yes. You don't have to switch email providers. Keep using Gmail or Microsoft 365 for everyday correspondence and use Lockbin for the moments when you're sending PHI, patient records, financial documents, or anything sensitive that needs to be encrypted at rest. Google Workspace's HIPAA BAA covers messages stored inside Gmail, but once an email leaves Google's servers and reaches a recipient on a different mail server, encryption depends on whatever that server allows. Lockbin closes that gap by holding the encrypted message on our servers and giving the recipient a link to read it over HTTPS, regardless of what email provider they use. No plugin or extension required.

Where can I learn more about protecting my privacy on the internet?

Your privacy is a big deal. That's why we support the Electronic Frontier Foundation, both morally and financially. Visit them at https://eff.org and tell them Lockbin sent you. Some other projects we find interesting include https://www.torproject.org (anonymous web browsing), https://Crypto.cat (IM), and EFF's project to encrypt the web, https://www.eff.org/https-everywhere. There are many other worthwhile projects, but these are good places to begin.

Is AES-256 Encryption Strong?

If you use a strong password, it is. AES-256 is not known to have been cracked through brute force. It's been said by people smarter than us that it would take a 4 GHz computer 4.5865*10^59 years to search just half the key space, and most scientists believe the universe will cease to exist long before that happens.

Do you back up my files and messages?

Files and messages uploaded to Lockbin.com are first encrypted as they are streamed to the primary storage disks. They are never stored in an unencrypted state. The encrypted files are then mirrored to our backup server facility. We do not retain a backup of files which our users have removed or which have not been retrieved within six months.

Will you comply with police demands to turn over my messages?

All Lockbin.com data is stored within the United States. As a U.S. company, we are obligated to comply with legal court orders asking for information. If legally demanded, we must supply your encrypted documents and metadata to investigators. Lockbin does not have a back door and so we are unable to supply decryption keys for your documents.

I don't feel comfortable hosting my data in the U.S.

Many people have expressed this sentiment to us recently, especially our friends in Europe. We are currently looking for partners in France, Germany, the U.K., the Netherlands and other countries who would be willing to work with us to set up and manage locally hosted versions of Lockbin. We will keep you posted as our localization project continues. Should we take on local partners, you will see them announced here; if they are not listed here, they are not genuine.



